DMVPN is a site-to-site VPN tunneling technology developed by Cisco to provide secure connectivity to remote offices. It can carry not only data across the VPN tunnel but also voice and video. The biggest advantage of DMVPN is that, in addition to encrypting the traffic that flows through the tunnel, it supports dynamic full-mesh (spoke-to-spoke) connectivity on top of a hub-and-spoke architecture. DMVPN has three configuration phases that let the administrator support different use cases.
With DMVPN Phase 2, all spokes (remote sites) can send data directly to each other instead of using the hub as a central point of distribution. This is made possible by the spoke sending an NHRP resolution query to the hub, asking it to share the public IP address of the spoke it is trying to reach; the hub answers with an NHRP response containing that spoke's public IP. The hub can answer because every spoke shares this information with the hub when it registers, and the hub keeps track of it in its NHRP database.
DMVPN is made up of two devices:
Hub: As the main device in the DMVPN tunnel network, the hub allows all the remote spoke devices to connect to one central location to pass traffic, so the spokes can send traffic not only to the hub but to each other.
Spoke: The spoke device is used to connect remote sites together via the hub. If a remote site wants to send data to another remote site, it uses the hub to forward the traffic to the spoke that is connected to the other site.
DMVPN has five main components:
mGRE: The Multipoint Generic Routing Encapsulation (mGRE) interface provides the main connection into the DMVPN tunnel and makes the configuration simpler to manage, because a single interface serves all peers. The mGRE interface carries unicast IP, multicast IP, and non-IP traffic. The router that is configured with the mGRE interface uses routing to direct traffic into the DMVPN tunnel.
NHRP server: The DMVPN network uses private IPs to forward traffic, but the routers still need a public IP to build the DMVPN tunnel. To learn these addresses dynamically, NHRP is used: each spoke registers its public interface address with the NHRP hub. The hub is considered the server and the spokes the clients.
Routing protocols: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) can be used to advertise the private networks to the hub so that they can be distributed to other spokes.
IPsec: IP Security (IPsec) is the main framework that is used to securely encapsulate the GRE tunnel traffic.
NHRP client: The client registers its public interface IP with the hub as soon as the router boots the operating system. The spoke then queries the NHRP server for the public IP information of a peer when it needs to build a DMVPN tunnel to it.
The hub is the central point in the DMVPN network and acts as the concentrator or primary point of contact for all remote spokes to communicate securely. The hub in most cases has a static public IP address, which makes it easy for spoke routers to establish connections with it.
To configure a hub, you will first need an Internet Security Association and Key Management Protocol (ISAKMP) policy:
hub-0#configure terminal
hub-0(config)#crypto isakmp policy 20
hub-0(config-isakmp)#encryption aes 256
hub-0(config-isakmp)#hash sha384
hub-0(config-isakmp)#authentication pre-share
hub-0(config-isakmp)#group 14
hub-0(config-isakmp)#exit
Note: If an ISAKMP policy is not configured, the Cisco IOS devices will assume the default ISAKMP policy.
In order to keep rogue spokes from joining the DMVPN network, we will need to configure an ISAKMP preshared key on the hub for each spoke's public address:
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 13.0.0.1 #spoke-0
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 14.0.0.1 #spoke-1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 15.0.0.1 #spoke-2
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 16.0.0.1 #spoke-3
In order to protect the traffic while going through the mGRE interface, a transform set needs to be configured and applied to an IPsec profile:
hub-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
hub-0(cfg-crypto-trans)#mode transport
hub-0(cfg-crypto-trans)#exit
hub-0(config)#crypto ipsec profile DMVPNmyProfile
hub-0(ipsec-profile)#set transform-set MyDMVPN-Transform
Note: Transport mode is used instead of tunnel mode (the default) because mGRE already provides the tunnel encapsulation; transport mode protects the GRE payload without adding a second IP header.
The next step is to configure an mGRE interface, assuming that the hub router already has an interface IP configured that is public-facing.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#tunnel mode gre multipoint
hub-0(config-if)#tunnel key 12345
hub-0(config-if)#tunnel source gigabitEthernet 0/0
hub-0(config-if)#ip address 10.0.0.1 255.255.255.0
On the mGRE interface, NHRP needs to be configured, and because we are configuring the hub, we will need to make NHRP the server.
hub-0(config-if)#ip nhrp network-id 1
hub-0(config-if)#ip nhrp authentication 1234!
hub-0(config-if)#ip nhrp map multicast dynamic
By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.
hub-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the maximum transmission unit (MTU) and maximum segment size (MSS) on the mGRE interface.
hub-0(config-if)#ip mtu 1400
hub-0(config-if)#ip tcp adjust-mss 1360
hub-0(config-if)#end
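Added example (not part of the original page): a quick way to check the MTU and MSS choices above against the overhead of mGRE with a tunnel key and IPsec transport mode using esp-aes 256 / esp-sha256-hmac. Header sizes are the standard ones; the rounding IOS itself applies is an assumption, so treat the figures as an estimate.

```python
# Added example (not from the original page): estimate the on-the-wire size of a
# packet sent through the mGRE/IPsec tunnel configured above and check the chosen
# "ip mtu 1400" and "ip tcp adjust-mss 1360" values against a 1500-byte link.
# Header sizes are the standard ones for IPv4, GRE with a key, ESP with AES-CBC
# and HMAC-SHA-256-128; how IOS itself rounds is an assumption, not page data.

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # base GRE header
GRE_KEY = 4          # key field present because "tunnel key 12345" is configured
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # AES-CBC block size; also the "IV size: 16 bytes" in the show output
ESP_TRAILER = 2      # pad length + next header
SHA256_ICV = 16      # esp-sha256-hmac uses a 128-bit truncated ICV (RFC 4868)
TCP_HDR = 20


def esp_padding(payload_len: int, block: int = AES_BLOCK) -> int:
    """Padding bytes needed so payload + trailer is a multiple of the cipher block."""
    return (-(payload_len + ESP_TRAILER)) % block


def fixed_esp_overhead() -> int:
    """ESP overhead that does not depend on the payload: header, IV, trailer, ICV."""
    return ESP_HDR + AES_BLOCK + ESP_TRAILER + SHA256_ICV


def plaintext_mtu(physical_mtu: int = 1500) -> int:
    """Physical MTU minus the fixed ESP overhead: 1500 - 42 = 1458, the same
    "plaintext mtu 1458" that the show crypto ipsec sa output on this page reports
    (padding is accounted for separately in encapsulated_size)."""
    return physical_mtu - fixed_esp_overhead()


def encapsulated_size(inner_packet: int, transport_mode: bool = True) -> int:
    """Wire size of one inner IP packet after mGRE + IPsec.  Transport mode
    ("mode transport" above) reuses the GRE delivery header; tunnel mode would
    wrap the GRE packet in a second IPv4 header before encrypting it."""
    gre_packet = GRE_HDR + GRE_KEY + inner_packet
    if not transport_mode:
        gre_packet += IP_HDR
    esp_payload = gre_packet + esp_padding(gre_packet) + ESP_TRAILER
    return IP_HDR + ESP_HDR + AES_BLOCK + esp_payload + SHA256_ICV


def fits(ip_mtu: int, physical_mtu: int = 1500, transport_mode: bool = True) -> bool:
    """True if a full-size tunnel packet leaves the physical interface unfragmented."""
    return encapsulated_size(ip_mtu, transport_mode) <= physical_mtu


def max_ip_mtu(physical_mtu: int = 1500, transport_mode: bool = True) -> int:
    """Largest "ip mtu" whose worst-case encapsulated size still fits the link."""
    mtu = physical_mtu
    while not fits(mtu, physical_mtu, transport_mode):
        mtu -= 1
    return mtu


def expected_mss(ip_mtu: int) -> int:
    """TCP MSS matching an IP MTU: subtract the IPv4 and TCP headers (1400 -> 1360)."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("1400-byte tunnel packet on the wire:", encapsulated_size(1400), "bytes")
    print("fits a 1500-byte link:", fits(1400), "| largest safe ip mtu:", max_ip_mtu())
    print("adjust-mss for ip mtu 1400:", expected_mss(1400))
```

With these sizes a 1400-byte tunnel packet leaves the interface at 1484 bytes, so 1400 leaves headroom on a 1500-byte link, while the same packet in tunnel mode would land exactly on 1500.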
The spoke is the remote end at a site or branch office that needs to communicate securely with other spokes and with the central hub. Each spoke site can have its own private IP network behind it that it manages. Spokes in most cases do not have a static public IP, which can make it challenging to establish direct, point-to-point connectivity when using DMVPN.
To configure a spoke, you will first need an ISAKMP policy:
spoke-0#configure terminal
spoke-0(config)#crypto isakmp policy 20
spoke-0(config-isakmp)#encryption aes 256
spoke-0(config-isakmp)#hash sha384
spoke-0(config-isakmp)#authentication pre-share
spoke-0(config-isakmp)#group 14
spoke-0(config-isakmp)#exit
Each spoke will need to have an ISAKMP key configured that points to the hub.
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 11.0.0.1
The spokes also will require a transform set and IPsec profile.
spoke-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
spoke-0(cfg-crypto-trans)#mode transport
spoke-0(cfg-crypto-trans)#exit
spoke-0(config)#crypto ipsec profile DMVPNmyProfile
spoke-0(ipsec-profile)#set transform-set MyDMVPN-Transform
The next step is to configure an mGRE interface, assuming that the spoke router already has a public-facing interface IP configured. The mGRE interface allows the spoke to create dynamic IPsec connections not only to the hub but also to other spokes, which means the tunnel destination 11.0.0.1 command is no longer needed on the spoke.
spoke-0(config)#interface Tunnel0
spoke-0(config-if)# tunnel mode gre multipoint
spoke-0(config-if)# tunnel key 12345
spoke-0(config-if)# ip address 10.0.0.x 255.255.255.0 # x = IP of Spoke
spoke-0(config-if)# tunnel source GigabitEthernet0/0
On the mGRE interface, NHRP needs to be configured, and because we are configuring the spoke, we will need to make NHRP the client. The mapping for the NHRP server will need to be added as well.
The ip nhrp map multicast command maps the multicast traffic sent over the tunnel (routing-protocol hellos, for example) to the physical (NBMA) IP address of a specific DMVPN peer, on the spoke the hub's public IP, so that it is replicated to that peer. NHRP is used in DMVPN networks to dynamically discover the public IP address of remote spokes and to allow direct communication between spokes without traffic having to flow through the hub. Without this command, Phase 2 will not work!
spoke-0(config-if)# ip nhrp network-id 1
spoke-0(config-if)# ip nhrp authentication 1234!
spoke-0(config-if)# ip nhrp map 10.0.0.1 11.0.0.1 # mGRE IP, and Public IP
spoke-0(config-if)# ip nhrp nhs 10.0.0.1 # mGRE Hub IP.
spoke-0(config-if)# ip nhrp map multicast 11.0.0.1
By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.
spoke-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the MTU and MSS on the mGRE interface.
spoke-0(config-if)#ip mtu 1400
spoke-0(config-if)#ip tcp adjust-mss 1360
spoke-0(config-if)#end
Because we are using DMVPN Phase 2, we need to make sure that the spokes can send traffic to each other. This is made possible by the no ip split-horizon eigrp 1 and no ip next-hop-self eigrp 1 commands on the hub's mGRE interface.
hub-0(config-if)#no ip split-horizon eigrp 1
hub-0(config-if)#no ip next-hop-self eigrp 1
The biggest problem with any VPN system is routing, routing, routing! If routing is not working, everything will break, and you will not be able to communicate with your remote spoke sites. For example, if the administrator forgets to configure no ip next-hop-self eigrp 1 on the hub's mGRE interface, the spokes will only be able to use the hub as a central point of distribution to send traffic to other spokes.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:08, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:06, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:05, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:06, Tunnel0
Notice that all the spoke prefixes point at the 10.0.0.1 hub mGRE IP, so the spokes must go through the hub to reach each other. To fix this problem, use the no ip next-hop-self eigrp 1 command on the hub's tunnel interface.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#no ip next-hop-self eigrp 1
hub-0(config-if)#
*Sep 26 18:44:21.773: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is down: next_hop_self value changed
*Sep 26 18:44:21.775: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is down: next_hop_self value changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is down: next_hop_self value changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is down: next_hop_self value changed
*Sep 26 18:44:23.691: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.729: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.742: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.781: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is up: new adjacency
After configuring no ip next-hop-self eigrp 1 on the mGRE interface of the hub, the spokes get direct routes with the other spoke routers as next hop.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:02:03, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.3, 00:02:02, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.4, 00:01:56, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.5, 00:02:01, Tunnel0
Notice that the spokes can now send traffic to the mGRE interface of each of the other spokes on the DMVPN network.
We now have full direct communication to all spokes on the DMVPN network.
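Added example (not from the original page): a small parser for the spoke's show ip route output that flags the symptom walked through above, EIGRP routes over Tunnel0 that still point at the hub's mGRE address. The route lines are copied from the two outputs above; the hub's own LAN (172.16.1.0/24) legitimately uses the hub as next hop and is excluded.

```python
# Added example (not from the original page): scan a spoke's "show ip route"
# output for the Phase 2 symptom shown above, EIGRP routes over Tunnel0 whose
# next hop is the hub's mGRE address (10.0.0.1) rather than the spoke that owns
# the prefix.  The route lines are copied from the two outputs above; the hub's
# own LAN (172.16.1.0/24) legitimately uses the hub as next hop and is excluded.
import re
from typing import Iterable

HUB_TUNNEL_IP = "10.0.0.1"
HUB_LOCAL_PREFIXES = {"172.16.1.0/24"}

# e.g. "D 172.16.3.0/24 [90/28160256] via 10.0.0.3, 00:02:02, Tunnel0"
EIGRP_ROUTE = re.compile(
    r"^\s*D\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+via\s+"
    r"(?P<nexthop>\d+\.\d+\.\d+\.\d+),\s+\S+,\s+(?P<iface>\S+)\s*$"
)

BEFORE_FIX = """\
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:08, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:06, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:05, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:06, Tunnel0
"""

AFTER_FIX = """\
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:02:03, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.3, 00:02:02, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.4, 00:01:56, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.5, 00:02:01, Tunnel0
"""


def eigrp_tunnel_routes(show_ip_route: str, iface: str = "Tunnel0") -> dict:
    """Map each EIGRP-learned prefix on the tunnel interface to its next hop."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = EIGRP_ROUTE.match(line)
        if m and m.group("iface") == iface:
            routes[m.group("prefix")] = m.group("nexthop")
    return routes


def hairpinned_prefixes(show_ip_route: str, hub_tunnel_ip: str = HUB_TUNNEL_IP,
                        hub_prefixes: Iterable[str] = HUB_LOCAL_PREFIXES) -> list:
    """Spoke prefixes that would still be forwarded through the hub."""
    excluded = set(hub_prefixes)
    return sorted(prefix for prefix, nh in eigrp_tunnel_routes(show_ip_route).items()
                  if nh == hub_tunnel_ip and prefix not in excluded)


def diagnose(show_ip_route: str) -> str:
    """One-line verdict a verification script could log or alert on."""
    bad = hairpinned_prefixes(show_ip_route)
    if not bad:
        return "ok: spoke-to-spoke next hops present"
    return ("hairpin via hub for " + ", ".join(bad)
            + " (check 'no ip next-hop-self eigrp 1' on the hub Tunnel0)")


if __name__ == "__main__":
    print("before:", diagnose(BEFORE_FIX))
    print("after: ", diagnose(AFTER_FIX))
```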
# Hub Local Network
spoke-0#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/10 ms
# Spoke-0 Local Network
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
# Spoke-1 Local Network
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/27/31 ms
# Spoke-2 Local Network
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/39/63 ms
# Spoke-3 Local Network
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 23/41/73 ms
spoke-0#
Once DMVPN Phase 2 is configured, a basic check needs to be done. For example, verify ISAKMP from the hub and the spoke sides.
hub-0#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 15.0.0.1 QM_IDLE 1026 ACTIVE
11.0.0.1 14.0.0.1 QM_IDLE 1025 ACTIVE
11.0.0.1 13.0.0.1 QM_IDLE 1024 ACTIVE
11.0.0.1 16.0.0.1 QM_IDLE 1027 ACTIVE
IPv6 Crypto ISAKMP SA
As you can see, the hub ISAKMP connects to all the spokes via their public IPs.
spoke-0# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 13.0.0.1 QM_IDLE 1005 ACTIVE
IPv6 Crypto ISAKMP SA
spoke-0#
However, the spokes only have connections to the hub and not to other spokes.
hub-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
current_peer 16.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 530, #pkts encrypt: 530, #pkts digest: 530
#pkts decaps: 514, #pkts decrypt: 514, #pkts verify: 514
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 16.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x816AB9E2(2171255266)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE595680F(3851773967)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 91, flow_id: SW:91, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4372137/1541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x816AB9E2(2171255266)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 92, flow_id: SW:92, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4372133/1541)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
current_peer 15.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 543, #pkts encrypt: 543, #pkts digest: 543
#pkts decaps: 529, #pkts decrypt: 529, #pkts verify: 529
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 15.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x495100D3(1230045395)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x47C5AC28(1204137000)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 87, flow_id: SW:87, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4204306/1492)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x495100D3(1230045395)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 88, flow_id: SW:88, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4204303/1492)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
current_peer 14.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 561, #pkts encrypt: 561, #pkts digest: 561
#pkts decaps: 552, #pkts decrypt: 552, #pkts verify: 552
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 14.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x969B3DA9(2526756265)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x21EDE161(569237857)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 85, flow_id: SW:85, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4358244/1432)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x969B3DA9(2526756265)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 86, flow_id: SW:86, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4358242/1432)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
current_peer 13.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 752, #pkts encrypt: 752, #pkts digest: 752
#pkts decaps: 741, #pkts decrypt: 741, #pkts verify: 741
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 13.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x2B46091A(726010138)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB7AF4FB5(3081719733)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 83, flow_id: SW:83, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4271107/872)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2B46091A(726010138)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 84, flow_id: SW:84, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4271104/872)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
hub-0#
As you can see from the above output, you get a view of all the spokes connected to the hub, how many packets are being encrypted, and the security parameter index (SPI) information for each spoke.
spoke-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 13.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
current_peer 16.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 16.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
current_peer 15.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 15.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
current_peer 14.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 14.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
current_peer 11.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 721, #pkts encrypt: 721, #pkts digest: 721
#pkts decaps: 731, #pkts decrypt: 731, #pkts verify: 731
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 11.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xB7AF4FB5(3081719733)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2B46091A(726010138)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 19, flow_id: SW:19, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4319926/976)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB7AF4FB5(3081719733)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 20, flow_id: SW:20, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4319929/976)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
spoke-0#
As you can see above, from the spoke point of view, with Phase 2 DMVPN, we now have direct connections to other spokes to send traffic.
hub-0#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 10.0.0.1, VRF ""
Tunnel Src./Dest. addr: 11.0.0.1/Multipoint, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPNmyProfile"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 4
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 13.0.0.1 10.0.0.2 UP 00:48:02 D 10.0.0.2/32
1 14.0.0.1 10.0.0.3 UP 00:38:43 D 10.0.0.3/32
1 15.0.0.1 10.0.0.4 UP 00:37:42 D 10.0.0.4/32
1 16.0.0.1 10.0.0.5 UP 00:36:53 D 10.0.0.5/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x111FD390]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 13.0.0.1/500 Active
Capabilities:(none) connid:1024 lifetime:23:11:57
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 13.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 13.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 776 drop 0 life (KB/Sec) 4271102/717
Outbound: #pkts enc'ed 786 drop 0 life (KB/Sec) 4271099/717
Outbound SPI : 0x2B46091A, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD488]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 14.0.0.1/500 Active
Capabilities:(none) connid:1025 lifetime:23:21:16
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 14.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 14.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 588 drop 0 life (KB/Sec) 4358239/1276
Outbound: #pkts enc'ed 595 drop 0 life (KB/Sec) 4358237/1276
Outbound SPI : 0x969B3DA9, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD678]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 15.0.0.1/500 Active
Capabilities:(none) connid:1026 lifetime:23:22:17
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 15.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 15.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 565 drop 0 life (KB/Sec) 4204301/1337
Outbound: #pkts enc'ed 577 drop 0 life (KB/Sec) 4204298/1337
Outbound SPI : 0x495100D3, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD580]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 16.0.0.1/500 Active
Capabilities:(none) connid:1027 lifetime:23:23:06
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 16.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 16.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 549 drop 0 life (KB/Sec) 4372132/1386
Outbound: #pkts enc'ed 564 drop 0 life (KB/Sec) 4372128/1386
Outbound SPI : 0x816AB9E2, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Pending DMVPN Sessions:
hub-0#
The show dmvpn detail command gives you a summary of everything except ISAKMP information. In addition, it shows nonbroadcast multiaccess (NBMA) peer information, which is made possible via NHRP.
Because we are using Phase 2, NHRP is critical. When configuring the spoke mGRE interface, we used the ip nhrp map 10.0.0.1 11.0.0.1 command. That command gives the spoke a static entry for the hub in its NHRP cache, which in turn allows the spoke to reach the hub's local network. You can see the cache entry with the show ip nhrp command. Notice that it is set to never expire.
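Added example (not from the original page): the "basic check" described in this section, automated. It parses the hub's show crypto isakmp sa and show dmvpn detail peer table and compares them with the spoke public addresses configured with crypto isakmp key ... address. The two sample outputs are copied from the page; the "degraded" pair is constructed to show what the check reports when a spoke is missing and an address that was never configured appears (198.51.100.7 is a placeholder).

```python
# Added example (not from the original page): audit the hub's verification output
# against the spoke public addresses configured with "crypto isakmp key ... address".
# The two sample outputs are copied from the page; the "degraded" pair is
# constructed to show what the check reports when a spoke is missing and an
# address that was never configured shows up (198.51.100.7 is a placeholder).
import re

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# "11.0.0.1 15.0.0.1 QM_IDLE 1026 ACTIVE"   -> dst src state conn-id status
ISAKMP_ROW = re.compile(
    rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)")
# "1 13.0.0.1 10.0.0.2 UP 00:48:02 D 10.0.0.2/32" -> #Ent NBMA tunnel state UpDn Attrb target
PEER_ROW = re.compile(
    rf"^\s*\d+\s+(?P<nbma>{IPV4})\s+(?P<tunnel>{IPV4})\s+(?P<state>\S+)\s+\S+\s+(?P<attrb>\S+)\s+\S+")

HUB_PUBLIC_IP = "11.0.0.1"
EXPECTED_SPOKES = {"13.0.0.1", "14.0.0.1", "15.0.0.1", "16.0.0.1"}

HUB_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 15.0.0.1 QM_IDLE 1026 ACTIVE
11.0.0.1 14.0.0.1 QM_IDLE 1025 ACTIVE
11.0.0.1 13.0.0.1 QM_IDLE 1024 ACTIVE
11.0.0.1 16.0.0.1 QM_IDLE 1027 ACTIVE
IPv6 Crypto ISAKMP SA
"""
HUB_DMVPN = """\
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 13.0.0.1 10.0.0.2 UP 00:48:02 D 10.0.0.2/32
1 14.0.0.1 10.0.0.3 UP 00:38:43 D 10.0.0.3/32
1 15.0.0.1 10.0.0.4 UP 00:37:42 D 10.0.0.4/32
1 16.0.0.1 10.0.0.5 UP 00:36:53 D 10.0.0.5/32
"""
# Constructed: spoke-3 (16.0.0.1) has no IKE SA and its registration is not UP,
# while an address that was never given a preshared key has registered.
DEGRADED_ISAKMP = "\n".join(l for l in HUB_ISAKMP.splitlines() if "16.0.0.1" not in l)
DEGRADED_DMVPN = (HUB_DMVPN.replace("1 16.0.0.1 10.0.0.5 UP", "1 16.0.0.1 10.0.0.5 IKE")
                  + "1 198.51.100.7 10.0.0.9 UP 00:00:10 D 10.0.0.9/32\n")


def isakmp_peers(output: str, hub_ip: str = HUB_PUBLIC_IP) -> dict:
    """Map each remote public IP to (state, status), whichever column it is in."""
    peers = {}
    for line in output.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            remote = m["src"] if m["dst"] == hub_ip else m["dst"]
            peers[remote] = (m["state"], m["status"])
    return peers


def nhrp_peers(output: str) -> dict:
    """Map each registered NBMA (public) address to (tunnel IP, state, attribute)."""
    peers = {}
    for line in output.splitlines():
        m = PEER_ROW.match(line)
        if m:
            peers[m["nbma"]] = (m["tunnel"], m["state"], m["attrb"])
    return peers


def audit(expected: set, isakmp_out: str, dmvpn_out: str) -> dict:
    """Compare live state with the configured spoke list; empty lists mean healthy."""
    sas, regs = isakmp_peers(isakmp_out), nhrp_peers(dmvpn_out)
    return {
        "no_isakmp_sa": sorted(expected - set(sas)),
        "isakmp_not_established": sorted(p for p, (st, ok) in sas.items()
                                         if (st, ok) != ("QM_IDLE", "ACTIVE")),
        "not_registered": sorted(expected - set(regs)),
        "registration_not_up": sorted(p for p, (tun, st, attrb) in regs.items() if st != "UP"),
        "unexpected_peers": sorted((set(sas) | set(regs)) - expected),
    }


def healthy(findings: dict) -> bool:
    return not any(findings.values())


if __name__ == "__main__":
    for label, iso, dmv in (("page output", HUB_ISAKMP, HUB_DMVPN),
                            ("constructed degraded", DEGRADED_ISAKMP, DEGRADED_DMVPN)):
        f = audit(EXPECTED_SPOKES, iso, dmv)
        print(label, "->", "healthy" if healthy(f) else {k: v for k, v in f.items() if v})
```

An NBMA address that registers but was never given a preshared key, or a configured spoke with no SA, is exactly what should page the on-call engineer rather than be discovered from a failed ping.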
spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
Tunnel0 created 00:49:21, never expire
Type: static, Flags: used
NBMA address: 11.0.0.1
But why don't you see entries for the other spokes? The reason is that those entries are dynamic and expire over time. To see them, you need to reach the local networks on the spokes by sending traffic such as an Internet Control Message Protocol (ICMP) ping.
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/30/34 ms
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/47 ms
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/34/50 ms
After the ICMP ping completes for each spoke local network, you will see the dynamic entries in the NHRP cache. Notice that they have expire timers.
spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
Tunnel0 created 00:49:52, never expire
Type: static, Flags: used
NBMA address: 11.0.0.1
10.0.0.3/32 via 10.0.0.3
Tunnel0 created 00:00:08, expire 00:02:56
Type: dynamic, Flags: used temporary
NBMA address: 11.0.0.1
10.0.0.4/32 via 10.0.0.4
Tunnel0 created 00:00:05, expire 00:02:59
Type: dynamic, Flags: used temporary
NBMA address: 11.0.0.1
10.0.0.5/32 via 10.0.0.5
Tunnel0 created 00:00:03, expire 00:03:01
Type: dynamic, Flags: used temporary
NBMA address: 11.0.0.1
spoke-0#